- From: Harald Alvestrand via GitHub <sysbot+gh@w3.org>
- Date: Wed, 02 Dec 2015 15:28:16 +0000
- To: public-media-capture-logs@w3.org
On 02 Dec 2015 16:10, Dominique Hazael-Massieux wrote:
> there are two types of sandboxing:
>
> * |<iframe sandbox="allow-foo allow-bar">|
>   <https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-sandbox>
> * |<iframe allow-foo>|
>   <https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-allowfullscreen>
>
> The first one has for effect that by default, you get an iframe that has
> many features cut-off, and get specific features re-enabled via the
> keywords |allow-foo| and |allow-bar| in my example. The currently
> recognized features are: |allow-forms, allow-modals, allow-pointer-lock,
> allow-popups, allow-popups-to-escape-sandbox, allow-same-origin,
> allow-scripts, and allow-top-navigation|.

So if you don't have a sandbox attribute, modals (for instance) are
allowed, but if you have a sandbox attribute with an empty value, modals
are disallowed?

> The second one has only been defined for fullscreen at the moment; in
> that model, fullscreen is disabled by default in any iframe, and can
> only be enabled specifically by adding that attribute.
>
> While I think it would be useful to think about both getUserMedia and
> WebRTC impact on the sandbox attribute, I think in this particular case,
> we're really thinking about the second model, and whether to take the
> lenient backwards-compatible approach (which would require a
> |disallowusermedia| attribute) or to take the more stringent likely not
> bw-compatible approach, with an |allowusermedia| attribute.
>
> I personally think the latter is cleaner, but we would need visibility
> on the deployment reality to determine if that's still an option.

Seems that people who use the sandbox attribute would care about
restricting the capabilities of the iframe, so would be happy (?) to see
usermedia starting out as default off, while people who don't use it
would perhaps want the default (with no sandbox attribute) to be the
status quo - that it's allowed on.

Would that be the best of all possible worlds?

-- 
GitHub Notification of comment by alvestrand
Please view or discuss this issue at
https://github.com/w3c/mediacapture-main/issues/268#issuecomment-161332275
using your GitHub account
Received on Wednesday, 2 December 2015 15:28:19 UTC
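
The two restriction models and the three possible getUserMedia defaults discussed in this message, modelled as an added example that is not part of the original message or of any specification. The frame objects, the policy names `opt-in`, `opt-out` and `hybrid`, and the rule that a sandboxed frame re-enables capture with `allowusermedia` under `hybrid` are assumptions made for illustration.

```javascript
// Added example, not from the thread. Frames are plain objects standing in for
// parsed <iframe> attributes: a missing key means the attribute is absent.
const SANDBOX_KEYWORDS = [ // list as quoted in the message above
  "allow-forms", "allow-modals", "allow-pointer-lock", "allow-popups",
  "allow-popups-to-escape-sandbox", "allow-same-origin", "allow-scripts",
  "allow-top-navigation",
];
const has = (attrs, name) => Object.prototype.hasOwnProperty.call(attrs, name);

// Model 1 (sandbox): attribute absent -> nothing is cut off; attribute present,
// even with an empty value -> everything is cut off except the listed keywords.
function sandboxAllows(attrs, keyword) {
  if (!SANDBOX_KEYWORDS.includes(keyword)) throw new Error("unknown keyword: " + keyword);
  if (!has(attrs, "sandbox")) return true;
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes(keyword);
}

// Model 2 (boolean attribute), applied to getUserMedia under three defaults.
function userMediaAllowed(attrs, policy) {
  switch (policy) {
    case "opt-in":  // stringent: off unless allowusermedia is present
      return has(attrs, "allowusermedia");
    case "opt-out": // lenient: on unless disallowusermedia is present
      return !has(attrs, "disallowusermedia");
    case "hybrid":  // status quo without sandbox; off by default with sandbox.
      // Assumption: a sandboxed frame re-enables it with allowusermedia.
      return !has(attrs, "sandbox") || has(attrs, "allowusermedia");
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Which existing embeds lose getUserMedia (allowed everywhere today) per policy?
function brokenBy(frames, policy) {
  return frames.filter(f => !userMediaAllowed(f.attrs, policy)).map(f => f.name);
}

// Constructed sample embeds.
const FRAMES = [
  { name: "legacy-chat", attrs: {} },
  { name: "ad-slot", attrs: { sandbox: "" } },
  { name: "widget", attrs: { sandbox: "allow-scripts allow-forms" } },
  { name: "video-call", attrs: { sandbox: "allow-scripts", allowusermedia: "" } },
];
for (const p of ["opt-in", "opt-out", "hybrid"]) console.log(p, brokenBy(FRAMES, p));
```

The output lists the embeds that would stop working under each default, which is the backwards-compatibility cost the thread is weighing.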